Csrss.exe issue

[Highlygifted]

I recently did a system restore to fix a microphone problem but that led to a chronic BSOD 5 minutes into login and I'm working in safe mode now.

http://www.megaupload.com/?d=S7BREYV3

Is my dump, if anyone would please read and help me with my predicament, it'd be appreciated.

[cluberti]

I cannot see anything but the crashing thread - there's an LPC message there that would have given some clues, but because you got a mini dump only, the only thing it captures is the thread state at the time of the crash. You'll need a complete dump (see the sticky at the top of this section) before we can really help you. It could very well be the A/V (it's on the stack right before the call to TerminateProcess), but there's no way to say for sure without at least seeing what's at the other end of that LPC chain.

[Highlygifted]

The full size is 2GB which led me to read it myself by barely installing it in regular before BSOD. The results stayed the same-

Probably caused by : csrss.exe

There is a question though. When it was creating the full dump, the BSOD hit a tick of 50 and then rebooted. Should it have normally hit 100? I also suffered from a lack of ability to connect to the internet afterwards so I had to remove Full Dump.

[cluberti]

It may skip from 50 to 100 percent, depending. And yes, it will be csrss.exe, but we would need the data in the full dump. Otherwise, there's not a good way to answer your question -csrss.exe was *told* to close because some other problem on the system (not with csrss) caused it to need to terminate.

Without a full dump, the answer is only a guess (your antivirus).

[Highlygifted]

How should I analyze the full dump file? I have it, but the tool I was told to use says there's missing symbols which I've installed.

[cluberti]

How should I analyze the full dump file? I have it, but the tool I was told to use says there's missing symbols which I've installed.

To fix the symbols after you've opened the .dmp file in windbg, run:

.sympath SRV*C:\symbols*http://msdl.microsoft.com/download/symbols; .reload

Then, run !analyze -v to see the bugcheck analysis (which you already know), then run !thread. You'll see a note in the output "LPC Server thread working on message Id <message #>" - run:

!lpc message <message #>

This will tell you what the *client thread* number is (a 6 number ID). run:

.thread <thread #>; .reload; !thread <thread #>

This will give you the client thread of the server csrss.exe lpc thread that crashed.

If you want to see what I did recently, see the end of this post.

[Highlygifted]

I copy paste

.sympath SRV*C:\symbols*http://msdl.microsoft.com/download/symbols; .reload

http://img15.imageshack.us/my.php?image=step1o.png

Is the result. What should I do? Thank you for your help.

Update: After a day of effort, I've done more work.

Chkdsk from the Command Line shows no problem, neither does CCleaner, save a few-

http://img3.imageshack.us/my.php?image=step2e.png

Honestly, I'm lost on what to do. I'm tired of this issue but I refuse to take the most drastic line of action. Is there anything I can do with the Windows XP disc?

Tried to do a Repair Install- Session 3 Initialization Failed 0x0000006F

Should I try again?

Edited March 21, 2009 by Highlygifted

[cluberti]

If you can zip the dmp file, PM me for an FTP upload location.

[Highlygifted]

http://www.megaupload.com/?d=6HHMOHCV

I uploaded the kernel version, will this work?

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s; .reload' to set symbol path and load symbols.

MODULE_NAME: csrss

FAULTING_MODULE: 00000000 

DEBUG_FLR_IMAGE_TIMESTAMP:  0

PROCESS_OBJECT: 8a6ccb48

IMAGE_NAME:  csrss.exe

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xF4

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
b620dcd0 805d03ab 000000f4 00000003 8a6ccb48 nt!KeBugCheckEx+0x1b
b620dcf4 805d12af 805d1204 8a6ccb48 8a6cccbc nt!PsSetLegoNotifyRoutine+0x105
b620dd24 b5f77451 8a6ccd90 c0000005 b620dd64 nt!PsGetProcessExitTime+0xa87
b620dd54 8054088c 00000000 c0000005 033febcc avipbb+0x5451
b620dd64 7c90eb94 badb0d00 033feb94 00200061 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
b620dd68 badb0d00 033feb94 00200061 00540028 0x7c90eb94
b620dd6c 033feb94 00200061 00540028 00000000 0xbadb0d00
b620dd70 00200061 00540028 00000000 00000000 0x33feb94
b620dd74 00540028 00000000 00000000 00000000 0x200061
b620dd78 00000000 00000000 00000000 00000000 0x540028


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner

Is all the information I can get on my behalf using your instructions.

Edited March 22, 2009 by cluberti
added code tags to tidy the post up a bit

[cluberti]

You have the same problem as this guy - sqlcmd.exe is probably causing it. See the above post, then look at this - again, it's only kernel mode, but I'd guess a user-mode dump would also look the same as the one in the post linked above. Take a look:

// csrss.exe crashing, as we're already aware:
1: kd> !thread
THREAD 89ff66e8  Cid 037c.0404  Teb: 7ffd6000 Win32Thread: e2b619e8 RUNNING on processor 1
Impersonation token:  e2cb9988 (Level Impersonation)
Owning Process			0	   Image:		 <Unknown>
Attached Process		  8a6ccb48	   Image:		 csrss.exe
Wait Start TickCount	  9749		   Ticks: 0
Context Switch Count	  907				 LargeStack
UserTime				  00:00:00.093
KernelTime				00:00:00.046
Win32 Start Address 0x000085c6
LPC Server thread working on message Id 85c6
Start Address 0x75b44616
Stack Init b620e000 Current b620d744 Base b620e000 Limit b620b000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child			  
b620dcd0 805d03ab 000000f4 00000003 8a6ccb48 nt!KeBugCheckEx+0x1b (FPO: [5,0,0])
b620dcf4 805d12af 805d1204 8a6ccb48 8a6cccbc nt!PspCatchCriticalBreak+0x75 (FPO: [3,0,0])
b620dd24 b5f77451 8a6ccd90 c0000005 b620dd64 nt!NtTerminateProcess+0x7d (FPO: [2,4,4])
WARNING: Stack unwind information not available. Following frames may be wrong.
b620dd54 8054088c 00000000 c0000005 033febcc avipbb+0x5451
b620dd54 7c90eb94 00000000 c0000005 033febcc nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b620dd64)
033febcc 00000000 00000000 00000000 00000000 0x7c90eb94

// Since there's no user-mode portion to a kernel-only dump, we can't see the whole stack,
// but we can see that we're trying to run code at 7c90eb94:
1: kd> .trap b620dd64
ErrCode = 00000000
eax=00000000 ebx=00000001 ecx=033feb40 edx=7c90eb94 esi=00000000 edi=033febf4
eip=7c90eb94 esp=033feb8c ebp=033febcc iopl=3		 nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000			 efl=00003207
001b:7c90eb94 ??			  ???

// Checking the lpc message from the csrss.exe thread, we can see that the client to the
// csrss.exe server thread above is 8920ea28:
1: kd> !lpc message 85c6
Searching message 85c6 in threads ...
	Server thread 89ff66e8 is working on message 85c6						 
Client thread 8920ea28 waiting a reply from 85c6						  
Searching thread 8920ea28 in port rundown queues ...

Server communication port 0xe2313830
	Handles: 1   References: 1
	The LpcDataInfoChainHead queue is empty
		Connected port: 0xe1a8bf68	  Server connection port: 0xe1522ec0

Client communication port 0xe1a8bf68
	Handles: 1   References: 3
	The LpcDataInfoChainHead queue is empty

Server connection port e1522ec0  Name: ApiPort
	Handles: 1   References: 140
	Server process  : 8a6ccb48 (csrss.exe)
	Queue semaphore : 8a6d47e8
	Semaphore state 0 (0x0) 
	The message queue is empty
	The LpcDataInfoChainHead queue is empty
Done.											  

// Looking at thread 8920ea28, we can see it's sqlcmd.exe, just like the post I linked above:
1: kd> !thread 8920ea28
THREAD 8920ea28  Cid 0bd8.0bdc  Teb: 7ffdf000 Win32Thread: e10e1008 WAIT: (WrLpcReply) UserMode Non-Alertable
	8920ec1c  Semaphore Limit 0x1
Waiting for reply to LPC MessageId 000085c6:
Current LPC port e1a8bf68
Not impersonating
DeviceMap				 e1009228
Owning Process			0	   Image:		 <Unknown>
Attached Process		  89264730	   Image:		 sqlcmd.exe
Wait Start TickCount	  9747		   Ticks: 2 (0:00:00:00.031)
Context Switch Count	  61				 LargeStack
UserTime				  00:00:00.000
KernelTime				00:00:00.000
Win32 Start Address 0x01019521
Start Address 0x7c810867
Stack Init b9d30000 Current b9d2fc50 Base b9d30000 Limit b9d2c000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child			  
b9d2fc68 80502d46 8920ea98 8920ea28 804faf40 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
b9d2fc74 804faf40 8920ec1c 8920ebf0 8920ea28 nt!KiSwapThread+0x8a (FPO: [0,0,0])
b9d2fc9c 805a1e87 00000001 00000011 0006d401 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
b9d2fd50 8054088c 000007ec 0006d4a0 0006d4a0 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])
b9d2fd50 7c90eb94 000007ec 0006d4a0 0006d4a0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b9d2fd64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006d46c 00000000 00000000 00000000 00000000 0x7c90eb94

// Again the trap frame showing us trying to run code from 7c90eb94:
1: kd> .trap b9d2fd64
ErrCode = 00000000
eax=339a6000 ebx=00000000 ecx=0000ffff edx=00000002 esi=0006d4a0 edi=001a0688
eip=7c90eb94 esp=0006d44c ebp=0006d46c iopl=0		 nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000			 efl=00000246
001b:7c90eb94 ??			  ???

// I can see you attempting to run a SQL update, again, just like the previous post I linked:
PROCESS 89231938  SessionId: 0  Cid: 0a74	Peb: 7ffd8000  ParentCid: 0924
	DirBase: 0af901c0  ObjectTable: e12052e8  HandleCount:  42.
	Image: SQLServer2005ExpressSP3-KB955706-x86-ENU.exe

What worked for the other person was to stop all SQL services (entirely), make sure sqlcmd.exe wasn't running, and *then* install all SQL updates. After a reboot, everything was fine - considering you have the *exact* same crash, and I can see a SQL update running, I'm guessing this is also the same problem.

[Highlygifted]

So is it vital or anything? Should/how would I just remove it or replace it if it is important.

[cluberti]

So is it vital or anything? Should/how would I just remove it or replace it if it is important.

Updating to SQL 2005 SP3 is important, yes - I would set all SQL services to disabled in services (services.msc), reboot, let Windows Update install the update, then set all SQL services back to their previous settings and reboot.

That should fix it.

[Highlygifted]

Thanks, I'll get to it- but how would I stop all SQL services? I tried reading some instructions but it didn't get me anywhere.

Edit: IT WORKS! Thank you so much for your help. This was the first really serious situation where I relied on professional help to actually pull through. Before I never had to actually rely so whole heartedly on aid. This whole ordeal has showed me how much more I have to learn. Thanks Again.

Edited March 22, 2009 by Highlygifted

[cluberti]

No worries, glad to hear it works.

[cluberti]

For what it's worth, it looks like this was documented:

http://blogs.msdn.com/psssql/archive/2009/...ermination.aspx